All KDE version prior to KDE 3.4 on systems where multiple users have access.

2. Overview:

Sebastian Krahmer of the SUSE LINUX Security Team reported a local denial of service vulnerability in KDE's Desktop Communication Protocol (DCOP) daemon better known as dcopserver.

A local user can lock up the dcopserver of arbitrary other users on the same machine by stalling the DCOP authentication process.

Although it is not possible to by pass the authentication process this way, it can cause a significant reduction in desktop functionality for the affected users.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0396 to this issue.

3. Impact:

A local user can lock up the dcopserver of arbitrary other users on the same machine. This can cause a significant reduction in desktop functionality for the affected users including, but not limited to, the inability to browse the internet and the inability to start new applications.

4. Solution:

Upgrade to KDE 3.4.

For older versions of KDE Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

Since version 3.2 KDE and it's webbrowser Konqueror have support for International Domain Names (IDN). Unfortunately this has made KDE vulnerable to a phishing technique known as a

Homograph attack.

IDN allows a website to use a wide range of international characters in its domain name. Unfortunately some of these characters have a strong resemblance to other characters, so called homographs. This makes it possible for a website to use a domain name that is technically different from another well known domain name, but has no or very little visual differences.

This lack of visual difference can be abused by attackers to trick users into visiting malicious websites that resemble a well known and trusted website in order to obtain personal information such as credit card details.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0237 to this issue.

For KDE 3.4 KDE and the Konqueror webbrowser have adopted a whitelist of domains for which IDN is safe to use because the registrar for these domains has implemented anti-homographic character policies or otherwise limited the available set of characters to prevent spoofing.

3. Impact:

Users can be tricked into visiting a malicious website that resembles a well known and trusted website without getting any visual indication that this website differs from the one the user was expecting to visit.

4. Solution:

Upgrade to KDE 3.4.

For older versions of KDE Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

All KDE versions in the KDE 3.2.x and KDE 3.3.x series. This problem only affects users who compile KDE or KDE applications themselves.

2. Overview:

The dcopidlng script is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files of a user when the script is run on behalf of that user.

The dcopidlng script is run as part of the build process of KDE itself and may be used by the build process of third party KDE applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0365 to this issue.

3. Impact:

The dcopidlng script is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files of a user when that user compiles KDE or third party KDE applications that use the dcopidlng script as part of their build process.

4. Solution:

Upgrade to KDE 3.4.

For older versions of KDE Source code patches have been made available which fix these vulnerabilities.